Skip to content

403 Forbidden errors when using swagger client #8

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
mterrel opened this issue Dec 15, 2018 · 0 comments
Closed

403 Forbidden errors when using swagger client #8

mterrel opened this issue Dec 15, 2018 · 0 comments

Comments

@mterrel
Copy link
Contributor

mterrel commented Dec 15, 2018

I'm trying to use npm module swagger-client along with the AWS swagger specs generated by aws2openapi and am running into some trouble.

More specifically, I'm using the cloudformation swagger spec from here:
https://github.com/APIs-guru/openapi-directory/raw/master/APIs/amazonaws.com/cloudformation/2010-05-15/swagger.yaml

And performing the following:

  1. Load cloudformation swagger spec from file
  2. Call swagger-client resolve with the spec to resolve $refs
  3. Call swagger-client buildRequest with the resolved spec, operationId, and parameters, including Action and Version.
  4. Remove the #Action portion of the URL returned from buildRequest
  5. Use aws4 to sign the request and generate the correct region-specific URL
  6. Use node-fetch with the signed request against the actual AWS API endpoint generated by aws4

In response, I get a 403 Forbidden error with the following info:

<AccessDeniedException>
  <Message>Unable to determine service/operation name to be authorized</Message>
</AccessDeniedException>

I believe the problem is that the generated swagger spec is incorrect in specifying that Version and Action should be in the HTTP headers. And therefore, the request that buildRequest creates has the Version and Action parameters in the HTTP header. However, the AWS docs only describe putting these parameters in the query parameter portion of the URL. And looking at the requests that the official AWS Javascript SDK generate, those also put Version and Action in query parameters.

Have you tested generating requests that require the Action parameter using v4 authentication? If so, would you point me to those tests so I can see if there's something I might be doing wrong?

I have found that by changing the swagger spec for cloudformation to have Version and Action be in query instead of in header, that I can get successful responses from AWS. I'll submit a pull request for a change to aws2openapi that seems to work well for me.

*There is a small caveat to getting successful requests: the URL generated by swagger-client has to be edited to remove the hash portion that's in the swagger path entry. I think open issue #2 essentially covers this problem and I don't really have any good ideas for a better solution other than to just edit the URL.
mterrel added a commit to mterrel/aws2openapi that referenced this issue Dec 15, 2018
@mterrel
Fix 403 Forbidden errors with v4 signatures
ec01e3b 
Fixes APIs-guru#8
Changes the Version and Action parameters to be in 'query' instead of
'header'. This aligns with AWS docs, examples, and the official AWS SDK
client behavior.
@mterrel mterrel mentioned this issue Dec 15, 2018
Merged
MikeRalphson added a commit that referenced this issue Dec 15, 2018
@MikeRalphson
fix [Object object], refs #8
ba715f3
MikeRalphson added a commit that referenced this issue Dec 16, 2018
@MikeRalphson
fix for undefined, refs #8
483bd4a
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@mterrel